Financial Cryptography

NATO opines on cyber-attacks -- Stuxnet was an act of force

We've all seen the various rumours of digital and electronic attacks carried out over the years by the USA on those countries it targets. Pipelines in Russia, fibre networks in Iraq, etc. And we've all watched the rise of cyber-sabre rattling in Washington DC, for commercial gain.

What is curious is whether there are any limits on this behaviour. Sigint (listening) and espionage are one thing, but outright destruction takes things to a new plane.

Which Stuxnet evidences. Reportedly, it destroyed some 20% or so of the Iranian centrifugal capacity (1, 2). And, the tracks left by Stuxnet were so broad, tantalising and insulting that the anti-virus community felt compelled to investigate and report.

But what do other countries think of this behaviour? Is it isolated? Legal? Does the shoe fit for them as well?

Now comes NATO to opine that the attack was “an act of force”:

The 2009 cyberattack by the U.S. and Israel that crippled Iran’s nuclear program by sabotaging industrial equipment constituted “an act of force” and was likely illegal under international law, according to a manual commissioned by NATO’s cyber defense center in Estonia.

“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force,” according to “The Tallinn Manual on the International Law Applicable to Cyber Warfare.”

Michael N. Schmitt, the manual’s lead author, told The Washington Times that “according to the U.N. charter, the use of force is prohibited, except in self-defense.”

That's fairly unequivocal. What to make of this? Well, the USA will deny all and seek to downgrade the report.

James A. Lewis, a researcher at the Center for Strategic and International Studies, said the researchers were getting ahead of themselves and there had not been enough incidents of cyberconflict yet to develop a sound interpretation of the law in that regard.

“A cyberattack is generally not going to be an act of force. That is why Estonia did not trigger Article 5 in 2007,” he said, referring to the coordinated DDoS attacks that took down the computer networks of banks, government agencies and media outlets in Estonia that were blamed on Russia, or hackers sympathetic to the Russian government.

Cue in all the normal political tricks to call white black and black white. But beyond the normal political bluster and management of the media?

Under the U.N. charter, an armed attack by one state against another triggers international hostilities, entitling the attacked state to use force in self-defense, and marks the start of a conflict to which the laws of war, such as the Geneva Conventions, apply.

What NATO might be suggesting is that if the USA and Israel have cast the first stone, then Iran is entitled to respond. Further, although this conclusion might be more tenuous, if Iran does respond, this is less interesting to alliance partners. Iran would be within its rights:

[The NATO Manual] makes some bold statements regarding retaliatory conduct. According to the manual's authors, it's acceptable to retaliate against cyberattacks with traditional weapons when a state can prove the attack lead to death or severe property damage. It also says that hackers who perpetrate attacks are legitimate targets for a counterstrike.

Not only is Iran justified in targetting the hackers in Israel and USA, NATO allies might not ride to the rescue. Tough words!

Now is probably a good time to remind ourselves what the point of all this is. We enter alliances which say:

Article 5 of the NATO treaty requires member states to aid other members if they come under attack.

Which leads to: Peace. The point of NATO was peace in Europe, and the point of most alliances (even the ones that trigger widespread war such as WWI) is indeed peace in our time, in our place.

One of the key claims of alliances of peace is that we the parties shall not initiate. This is another game theory thing: we would not want to ally with some other country only to discover they had started a war, to which we are now dragged in. So we all mutually commit to not start a war.

And therefore, Stuxnet must be troubling to the many alliance partners. They see peace now in the Middle East. And they see that the USA and Israel have initiated first strike in cyber warfare.

This is no Pearl Harbour scenario. It's not even an anticipatory self-defence, as, bluster and goading aside, no nation that has developed nuclear weapons has ever used them because of the mechanics of MAD - mutually assured destruction. Iran is not stupid, it knows that use of the weapons would result in immediate and full retaliation. It would be the regime's last act. And, as the USA objective is regime change, this is a key factor.

So it is entirely welcome and responsible of NATO -- in whatever guise it sees fit -- to stand up and say, NO, this is not what the alliance is about. And it can't really be any other way.

After a decade of bad banking, finally some Good News: Cyprus forced to shut down a bad bank!

From the ghoulish department of "good news unless you're affected" comes the story that the Cyprus government has agreed to the terms of the Troika:

Cypriot President Nicos Anastasiades agreed to shut the country’s second-largest bank under pressure from a German-led bloc in a night-time negotiating melodrama that threatened to rekindle the debt crisis and rattle markets.

...

The revised accord spares bank accounts below the insured limit of 100,000 euros. It imposes losses that two EU officials said would be no more than 40 percent on uninsured depositors at Bank of Cyprus Plc, the largest bank, which will take over the viable assets of Cyprus Popular Bank Pcl (CPB), the second biggest.

Cyprus Popular Bank, 84 percent owned by the government, will be wound down. Those who will be largely wiped out include uninsured depositors and bondholders, including senior creditors. Senior bondholders will also contribute to the recapitalization of Bank of Cyprus.

This is how it should be. In order to avoid moral hazard - the laziness from complete insurance - the people responsible must suffer the consequences of their judgement. The bond holders must be left short. The creditors -- uninsured depositors [0] -- must lose. The shareholders must be wiped out. The employees must be sacked, and officers in positions of material decision making must be pursued.

Only when that message gets out across Europe, and the world, will the people who choose to do business with their bank begin to regulate their bank.

Or withdraw their funds; which is the safety mechanism in a sound system against bad banking [1]:

Second, the commitment to the convertibility would provide an effective discipline against goldsmith-bankers who issued an excess of notes. When banks issued convertible notes, their circulation would be limited by the demand to hold them. That demand would depend on such factors as the precise features of the convertibility contract (for example, whether the depositor had to give notice when he wanted to withdraw his deposit), the bank's reputation, the familiarity of its notes, the number of branches it maintained, and so on. Any notes issued beyond the demand to hold them would be returned for redemption.

The law for banks might have changed, but the laws of banking do not.

---

[0] Should the insured depositors be wiped out? That is a more subtle issue. Maybe another day.

[1] This is not the end to the Cyprus story. Although the remedy is correct there are still questions to ask. Who owns the bonds? It turns out that a large part of the bonds have been put as collateral for emergency lending to the ECB. Which is then guaranteed by the national central bank. Oops. Story yet to unfold.

How much for an island in the sun, Mr Putin?

The Cyprus news flows in, thick and fast. There are only a few major points. As expected from any nation made of /ellos con cajones/, the Cypriots slapped down the European offer, 36 to nothing (much). The problem here can be seen as the curse of a small democratic nation -- which is to say, the representatives probably still have to answer to their constituency, unlike their more sophisticated northern counterparts.

Meanwhile, the Europeans are perhaps left bemused at the fail of the bid. They gave it their best shot, non? What now?

There is another offer on the table.

Cypriot Finance Minister Michael Sarris flew to Moscow on Tuesday to seek Russian financial assistance. He denied by text message reports that he had resigned, which rattled nerves as lawmakers were poised to vote.

Let's sum up the friendship. The Russians already loaned in 2.5bn, sans Eursury. They're hopping mad at being excluded from the conference of debtors. They're also a bit red faced -- slap slap -- at repeated allegations of hot money. Further, although the media plays shy on this one, it turns out that Cyprus has become a nice little center for serious, legal, solid Russian business. As well as a destination for that soon to be listed endangered species: English common law.

NYT says more:

The din of criticism from Moscow signaled the importance of Cypriot offshore financing for the Russian economy. The island has long served as an escape valve for Russian businessmen. Some are surely dodging local taxes. Others, paradoxically, are seeking better courts in the British law system practiced in Cyprus.

Offshore domiciles are so ingrained in the post-Soviet way of doing business in Russia that Cypriot shell companies are linked not only with money launderers and organized crime, but well-established companies like the metals giant Norilsk Nickel.

H/T to naked capitalism and Lynn in comments on that one. Naked capitalism does not go so far on this, but I wonder: This is one hell of a friendship.

For some number around 10bn, plus/minus, perhaps the Russians get to buy into Europe. As long as they (a) respect the english common law tradition, (b) leave the islanders to live out their happy sun-kissed lives, and (c) sort out the banks, what objection could there be, nyet?

Not to mention, Nota bene to students of long Russian strategy & short Middle Eastern futures, pay no attention to the hands,... Cyprus is a warm weather port.

Cyprus deposit holders to take a 7-10% loss -- perversely this the right Cure, and it may Kill the Patient

News over the weekend has it that Cyprus has agreed to a bailout, but in exchange for the most terrible of conditions: Cypriot depositors are to be taxed at rates from 6.75% to 9.9% of their deposits.

This is utter madness, and the reasons are legion. Speaks the Economist:

EVERYONE agrees that taxpayers should be protected from the cost of bailing out failing banks. But imposing blanket losses on creditors is still taboo. Depositors have escaped the financial crisis largely unscathed for fear of sparking panic, which is why the idea of hitting uninsured depositors in Cypriot banks has caused policymakers angst.

You muck around with deposit holders or your own people at your peril. There is now a fair chance of a bank run in Cyprus, and a non-trivial chance of riots.

Further, the bond holders don't get hit. Not even the unprotected ones!

Worse, yet, the status of deposit is enshrined in a century of law, decisions and custom. It is not going to be clear for years whether the law will sustain ahead of legal challenges. Consider the mess about Greek bonds in London, and that allegedly big powerful Russian oligarchs are involved? A legal challenge is a dead certainty.

Finally, and what is the worst reason of all - the signal has been sent. What happened to the Cypriots can and will happen to the Spanish. And the Italians. And if them, the French. And finally, those safe in the north of Europe will now see that they are not safe.

The point is not whether this will happen or not: the point is whether you as an individual saver wish to gamble your money in your bank that it won't happen?

The direction of efforts to improve banks’ liquidity position is to encourage them to hold more deposits; the aim of bail-in legislation planned to come into force by 2018 is to make senior debt absorb losses in the event of a bank failure. The logic behind both of these reform initiatives is that bank deposits have two, contradictory properties. They are both sticky, because they are insured; and they are flighty, because they can be pulled instantly. So deposits are a good source of funding provided they never run. The Cyprus bail-out makes this confidence trick harder to pull off.

Other than that, it is a really good deal.

In short words, Cyprus bail out means: start a run on European banks. Only time will tell how this goes on.

What's to take solace? Perversely, there is an element of justice in this decision. Moral hazard is the problem that has pervaded the corpus bankus for a decade now, and has laid low the financial system.

Moral hazard has it that if you fully insure the risk, then nobody cares. And indeed, nobody in the banking world cares, it seems, since they've all acquired TBTF status. None of the people care, either, as they happily deposited at those banks, even knowing that the financial sector of Cyprus was many times larger.

Go figure ... here comes a financial crisis, and our banks are bigger than our country? What did the Cypriot people do? Did they join the dots and wind back their risk?

However the figures are massaged down, the nub of the problem will remain: a country with a broken banking model. Unlike Greece, brought low by its unsustainable public finances, Cyprus has succumbed to losses in its oversize banks. By mid-2011 the Cypriot banking sector was eight times as big as GDP; its three big commercial banks were five times as large.

No. Moral hazard therefore has it the stakeholders must be punished for their errors. And the stake holders of last resort are the Cypriot people, or at least their depositors. And their pensioners, it seems:

In practice the main answer will be to dragoon Cyprus’s pension funds and domestic banks into financing the €4.5 billion of government bonds due to be redeemed over the next three years.

It is highly likely that Cypriot pensioners will lose the lot, as it worked for Spain.

Which does nothing to obviate the other arguments listed above. Regardless of this sudden and surprising display of backbone by the Troika, it is still madness. While we may actually be on the cusp of cure to the disease, the patient might die anyway.

European leaders could at long last bite the bullet and insist on a bail-in of bank creditors to cover expected losses. The snag is that any such action would set alarm-bells ringing for investors with serious money at stake in banks elsewhere in the euro area. Mario Draghi, the ECB’s president, said on March 7th that “Cyprus’s economy is a small economy but the systemic risks may not be small.”

Watch Cyprus with interest, as if your future depends on it. It does.

It all started as a noble idea - Identity Cards in Uganda

Another in an occasional series addressing the cost of identity. It turns out that Uganda has so far spent a whopping 600 million shillings per identity card, as reported by Nicholas Kalungi:

It all started as a noble idea. Every Ugandan holding a National Identity Card (NIC) that would be acceptable for elections, to financial institutions, travel within East Africa and more. A decade down the road, with about Shs240 billion spent, only 401 identity cards have been issued. Uganda is a country of about 33 million people.

Even converted to USD, that turns out to be $226,642 per card. Oh, and:

Also of concern is the fact that the ID cards yet to be issued is will use barcode technology instead of the smartcard technology that uses a chip.

A chip can accommodate a lot more information, such as medical records, criminal records, educational data, driving permits and social security data. It can also authenticate fingerprints and photographs, which are additional safeguards against forgery. Blank ID cards using the barcode technology will cost the government 22.5 million euros (Shs63 billion) for 15 million cards, amounting to $2 per card.

This sounds like one of those frequent cases of inept importing of western notions -- bad enough in their own territory, where the sole justification turns out to be "we can afford it" -- into places where it enters the realm of fantasy.

In somewhat proof of this, the market has responded:

Thousands of Ugandans have resorted to using local council (LC) stamped identification cards (IDs) as national IDs.

This comes at the back of the government’s failure to implement the national ID project that would enable citizens have a uniform identification document. For a decade now, the national ID project has been mired in corruption allegations and internal fights over who should be in charge of the multi-billion shilling project.

The multiple delays in the national ID project have left people with no alternatives save for exploiting alternatives and creating their own IDs-labeling them as “Citizens” identifications. One of the booming businesses on the streets of Kampala, taxi parks and at local council offices across the country is making, selling and issuing IDs.

A week-long investigation around Kampala showed that these IDs are of two types. One type bears the word ‘Resident’ on the cover while another brand bears the word ‘Citizen’ on the cover. They are mainly made at Nasser and Nkrumah roads in Kampala.

Several centres along these Streets are famous for originating all sorts of fake documents that include, among others, academic certificates ranging from bachelor’s degrees, diplomas and of recent PhDs. The wholesale price range for ‘’Citizen” and “Resident” IDs are between Shs300 and Shs1, 000.

How does this work?

After buying the card from Nasser Road or any other outlet, you get a passport photo and take it to a local council official who at between Shs3,000 and Shs20,000 approves and stamps it to confirm that you are a citizen of Uganda or a resident of a given area.

One John Muyomba, a resident of Kasubi, tells this newspaper that he acquired a citizens ID from his local chairman a year ago and it has been doing wonders for him following the expiry of his university ID. “I paid Shs5,000 and took two passport size photos. I presented a friend at the LC office as a referee and got the ID. ...

At around 2600 shillings to the USD, we are looking at from $1 to $4 for the card, and $12 to $80 or so for the certification. Now divide those numbers by the average daily wage -- about $1 -- to get a view as to their purchasing-power-parity cost.

Prone to abuse
For one to get this acquired ID stamp, all they need is a person to recommend them to an LC leader that he/she is a resident of an area. “We always ask the person seeking our approval to come with a resident of the area to prove that they are Ugandans or resident of that area,” says Bright Kashaka, an LC chairperson in Kisenyi, a Kampala suburb.

When this reporter visited a local council office in an area he neither works from nor resides, he was told by the people he found at the office to pay Shs10, 000 and present a passport photo after which he would have one ID issued. From this discovery, it became clear that you only need to have money and passport size photos to a citizen or resident ID.

What's going on here is that the market for documents has stepped in to provide the physical carrier, and the market for local councils has stepped forth to provide the certification. This seems like an efficient solution, especially when we factor in the experience of government-led production experiments.

Curiously, it also makes the case that an ID of any form is a good thing, as shown by the thriving market, evidencing demand from somewhere.

"...It is this ID that I used to register my Sim card and to get an account at one of the banks,” says Muyomba. While, these IDs seem to be serving different purposes, for example, local identification and Sim card registration, among others, the ease at which they are acquired, stamped and issued is worrying.

Worrying? For those who suffer angst from any free-market solution, the trick is to see free-market identity cards as an intermediate between nothing and some hypothetical perfect identity proof. Of course, all forms of identity documents are just that, an intermediate between nothing and perfection, so the argument turns on whether the market can do a better or worse job, for more or less money, than say a given government endeavour.

In Uganda, the answer is strongly in favour of the market.

However, if you are good with numbers, one observation must strike out and slap at the face: why is the cost of the Local Council certification so high? At from 3000 to 20000 shillings, that translates to from one to eight day's worth of average earnings.

The answer is almost certainly corruption. The fact that there are variable prices is a bit tip-off, and the indication of a special price for a newcomer is a dead giveaway. There may, or may not be a local government listed price for the certification, as that is not evidenced in these articles, but any variation of that base price is likely going straight into the pockets of the corrupt local government officials.

If we take the 3000 as a base price, this indicates that corruption is many times more than the honest LC cost-based price alone.

And it is this factor that slows these countries down. Corruption, created almost universally by government mandate. (Effects of corruption in Ghana.) In this case the local council monopoly on certifications, makes the cost of business far higher than it is in western countries, when converted to PPP numbers. And now we find the incestuous circle of government intervention leading to this corruption:

Lately, telecommunications companies and Uganda Communications Commission (UCC) have been blaming the absence of national IDs as the main challenge affecting the on-going Sim card registration process. Even though the process has been extended untill August, millions are still unregistered and the main reason cited is absence of recognised identification mainly in rural areas that are mandatory before anyone registers a Sim card. The effort to procure national IDs has been on for since 2001.

The requirement for LC-stamped Ids is driven by ... government rules for SIM registration. In what is a widely acknowledged economic miracle -- the rollout of unidentified cell phones across Africa -- someone, somewhere has decided we need identity for each user of a cell phone. Thus putting the brakes on the one thing that Africa got right.

What's the benefit to slowing down Africa's economic miracle? Why do we want to slow down the ability of locals to afford necessities like mosquito nets? If we dig a little deeper, it will almost certainly evidence itself once again: inept importation of bad Western notions into a place where they simply make no sense. Which will continue until the locals get a clue:

Until the production and selling of fake IDs is made illegal however, the different between a non-citizen, foreign and criminal holding the fake IDs is only a stamp hit.

These western notions are so easy to believe, and so very wrong.

How to use PGP to verify that an email is authentic

Ironic as xkcd nails it, at least one can draw the picture. What instruction would one draw for secure browsing these days?

google leads the world in ... oddball interview questions... ?!? (part 1 in a rant on searching for your HR mission)

Human Resources is one of those areas that seemed fatally closed to the geek world. Warning to reader: if you do not think Human Resources displays the highest volatility in ROI of any decision you can make, you're probably not going to want to read anything more of this rant. However, if you are bemused about oddball questions asked at interviews, maybe there is something here for you.

A rant in three parts (I, II, III).

Let's talk about google, which leads the world in infamous recruiting techniques. So much so that an entire industry of truthsayers, diviners and astrologers have sprung up around companies like it, in order to prepare willing victims with recipes of puzzlers, newts eyes and moon dances.

Why is this? Well, one of the memes in the press is about strange interview questions, and poking sly fun at google in the process:

• "Using only a four-minute hourglass and a seven-minute hourglass, measure exactly nine minutes--without the process taking longer than nine minutes,"
• "A man pushed his car to a hotel and lost his fortune. What happened?"

These oddball questions are all very cute and the sort of teasers we all love to play as children. More. But what do they have to do with google?

To be fair to them, it looks like google don't ask these questions at all and indeed may have banned them entirely but we need a foil to this topic, so let's play along as if they do spin some curveballs for the fun of it.

Let's answer the implied question of "what's the benefit?" by reference to other so-called oddball questions:

• "If Germans were the tallest people in the world, how would you prove it?" -- Asked at Hewlett-Packard, Product Marketing Manager candidate
• "Given 20 'destructible' light bulbs (which break at a certain height), and a building with 100 floors, how do you determine the height that the light bulbs break?" -- Asked at Qualcomm, Engineering candidate
• "How do you feel about those jokers at Congress?" -- Asked at Consolidated Electrical, Management Trainee candidate

The first one is straight marketing, understanding how to segment the buyers. The second is straight engineering, and indeed every computer scientist should know the answer: binary search. Third one? How to handle a loaded question.

So, all these have their explanation. Oddball questions might have merit. They are searching... but more than that, they are *directly related to the job*. But what about:

• "How would you cure world hunger?" -- Asked at Amazon.com, Software Developer candidate

A searching question, I'll grant! But this question has flaws. Other than discovering ones knowledge of modern economics (c.f., Yunis, de Soto) or politics or entrepreneurship or farming, how does it relate to ... software? Amazon? Retail markets? It doesn't, I'll say (and I'll leave what it does relate to, and how dangerous that is, as an exercise to the reader after having read all 3 posts).

Now back to google's alleged questions. First above (hourglasses) was a straight mathematical teaser, but maths has little to do with software. OK, so there is a relationship but these days *any discipline on the planet* is about as related as mathematics, and some are far more relevant. We'll develop this theme in the next post.

Second question above, about pushing cars to a hotel. What's that about? Actually, the real implied question is, "did you grow up with a certain cultural reference?" Again, nothing to do with software (which I think google still does) and bugger all to do with anything else google might get access to. Also rather discriminatory, but that's life.

In closing, I'll conclude: asking or being asked oddball questions is not a correlation with a great place to work. Indeed, chances are, it is reversely correlated, but I'll leave the proof of that for part 2.